10-year-old uncovers Instagram security flaw, earns top bug bounty reward

A 10-year-old boy has been awarded $10,000 after discovering a vulnerability in the photo-sharing platform Instagram.

According to local Finnish publication Iltalehti, the child, Jani, from Helsinki, discovered the Instagram vulnerability in March.

More security news

The security flaw allowed the young researcher to delete comments and descriptions connected to Instagram photos by inserting malicious code into the comment field.

There was no limitation on what the 10-year-old could delete; as Jani told Iltalehti, he “would have been able to eliminate anyone, even Justin Bieber.”

The security flaw, impacting the Facebook-owned photo sharing platform, was disclosed through the social media giant’s bug bounty program. After Jani provided proof by deleting a comment on a test account, Facebook’s team acknowledged the issue and developed a fix for the vulnerability.

Facebook awards researchers a minimum of $500 per valid disclosure, but the reward increases depending on the severity of the flaw. Jani’s bug was considered impressive enough to warrant one of the higher amounts, leading to a $10,000 reward.

Facebook’s bug bounty program requires researchers to adhere to the social media giant’s terms of service, which includes a basic age requirement — something the child doesn’t even match.

However, the award was still made.

What does Jani, an aspiring security expert, plan to do with his winnings? Buy a new PC and bike, of course.

Read on: Top picks